PPAD: Privacy Preserving Group-BasedADvertising in Online Social Networks

Sanaz Taheri BoshrooyehKoç University, Istanbul, Turkey

staheri14@ku.edu.tr

Alptekin KüpçüKoç University, Istanbul, Turkey

akupcu@ku.edu.tr

Öznur ÖzkasapKoç University, Istanbul, Turkey

oozkasap@ku.edu.tr

Abstract—Services provided as free by Online Social Networks(OSN) come with privacy concerns. Users’ information kept byOSN providers are vulnerable to the risk of being sold to theadvertising firms. To protect user privacy, existing proposalsutilize data encryption, which prevents the providers from mon-etizing users’ information. Therefore, the providers would not befinancially motivated to establish secure OSN designs based onusers’ data encryption. Addressing these problems, we proposethe first Privacy Preserving Group-Based Advertising (PPAD)system that gives monetizing ability for the OSN providers. PPADperforms profile and advertisement matching without requiringthe users or advertisers to be online, and is shown to be securein the presence of honest but curious servers that are allowed tocreate fake users or advertisers. We also present advertisementaccuracy metrics under various system parameters providing arange of security-accuracy trade-offs.

I. INTRODUCTION

Online Social Networks (OSN) such as Facebook, Twitter,and Google+ are in the center of people’s attention due to thefunctionality and networking opportunities they offer. OSNsconsist of three main entities: Server, user, and advertiser.Server supports the OSN’s functions using its storage andcomputational resources. Users are able to share their personalinformation with each other and establish new friendshipsvia OSN. Advertisers ask Server’s help to detect their targetcustomers out of OSN’s users. Despite the attractive servicesthat OSNs offer to the users, sharing personal informationwith these networks raises privacy problems where serversmonetize users’ information by selling them to the advertisingcompanies [23], [26]. To prohibit the accessibility of OSNproviders to the plain information of users, secure OSNdesigns that employ data encryption are proposed [11], [10],[30], [32], [2], [3]. While these solutions provide tangiblebenefits to the users’ privacy, they neglect the role of advertiseras part of the OSN, which results in monetizing inability forthe server [31]. Thus, OSN servers are left with no financialmotivation to establish such secure OSN services.

The lack of a convincing commercial model for secureOSNs is our main motivation to propose a Privacy PreservingADvertising (PPAD) system for OSNs. PPAD can be incorpo-rated into secure OSN designs (where the OSN’s functionalitymeet data confidentiality) to provide advertising service. Yet,achieving the best of both worlds is impossible: we provide atrade-off between personalized advertising accuracy and userprofile privacy. We first define these terms, explain why it isimpossible to achieve some goals simultaneously, and show

how we achieve a solution whose parameters can be tweakedfor various settings.

In PPAD, we introduce the notion of group-based adver-tising on the encrypted data. By group-based advertising, weaim to cope with the security issues raised by the personalizedcounterparts [35], [20]. In fact, performing personalized adver-tising on the encrypted data will ultimately violate user pri-vacy. The reason is that knowing that a particular advertisingrequest (which is a set of attributes) is matched to an encryptedprofile implies that the profile entails the attributes listed in thatrequest. Therefore, although the matching is performed on theencrypted data, the server is able to learn the profile contenti.e., user’s attributes. This cannot be prevented using any(cryptographic) method unless one (unrealistically) assumesthat the adversarial server cannot create fake advertisementrequests targeting known attributes.

One remedy of this problem is that the final matching resultmust be computed in the encrypted format (server does notlearn the result) and then the results are sent to the user toopen and read. However, this approach is cumbersome as theuser has to open (decrypt) all the matching results (which islinear in the total number of advertising requests) and retrievethe matched advertisements from the server in an obliviousway (which again incurs a high load).

Due to this privacy concern, we define a new advertis-ing paradigm called group-based advertising. In short, we(randomly) partition users into groups of equal size at theregistration phase. Then, each advertising request is comparedto the profiles of a group of users and not a single user. Thematching result indicates whether there exist some threshold-many target users among the group members. If it happens,then the advertising is shown to all the group members. Notethat the matching result reveals neither the identity of thematched user nor the number of matched users but only theexistence of at least threshold-many matches. By this method,the matching result is unlikable to an individual profile. Wepropose a formal security definition to capture this notion ofunlinkability.

Another property of PPAD is to keep the advertising pro-cedure transparent to the users/advertisers, similar to theinsecure counterparts. That is, users and advertisers carry nooverhead except uploading their data to the social network.Henceforth, the matching process is operated only by theserver and needless to any constant online connection of the

user or the advertiser. Prior solutions [33], [14], [5], [16], [28],[21] fail to provide the transparency feature. User’s involve-ment in the matching procedure adds an overhead to the userthat grows linearly with the number of advertising requests.This overhead demotivates the user from participating in thePPAD protocol as the user is obliged to stay online until theserver matches user’s profile to the advertising requests. Italso negatively affects the system’s efficiency as the servers’working-time depends on the users’ online time. In PPAD,users receive relevant advertisements, which are found by theserver during the users’ and advertisers’ off-time. We enablethis by utilizing a privacy service provider (PSP) that assistsOSN providers to protect the privacy of their users. A PSPcan be a non-profit or governmental entity that can help usersand multiple providers achieve privacy-preserving advertisingand can be implemented with low cost. Due to their fame andreputation, PSPs are assumed to be non-colluding parties andhence are used in similar privacy-concerned applications [34].

Our contributions in this paper are as follows.• We propose PPAD advertising system that preserves user

privacy and is applicable on the secure OSNs whereusers’ information are encrypted.• In contrast to the existing solutions where secure match-

ing requires both user and advertiser to be permanently orsimultaneously online, PPAD allows users and advertisersto be offline after the registration. Once the matchingis performed offline by the server, the advertisement isshown to relevant users the next time they appear online(or via push notifications, etc.).• We present a formal security definition for user privacy.

We argue that a meaningful security definition in thissetting must allow the adversarial server to control someadvertisers and users. Our system is formally proven tobe secure against the privacy service provider as well asthe server that may additionally employ a number of fakeusers or advertisers.

• We define two performance metrics of Target accuracyand Non-Target accuracy to be used in group-basedadvertising systems. Using empirical analysis, we capturethe effect of group size and threshold value on the systemperformance and discuss their security implications.

II. SYSTEM OVERVIEWModel: An overview of PPAD is shown in Figure 1. Theparticipants are users, advertisers, and the OSN provider(Server) who gets help from a third party that is a privacyservice provider (PSP). In PPAD, the advertiser specifiesthe attributes of its target users, and uploads an advertisingrequest to the Server as a Bloom filter. We define an adver-tising request to be a conjunction of several attributes e.g.,{Artist,Player,Scientist}. Users are (randomly) partitionedinto groups of size k at the registration phase. As discussed,this grouping is necessary for user privacy, and must not bedone based on similar interests. To preserve confidentiality,users encrypt their Bloom filters using additive homomorphicencryption and secret sharing techniques before submission toServer. To provide provable security, PPAD requires users to

SocialNetworkProvider(Server)

AdvertiserRegistersanAdvertisingRequest

User

StoresAdvertisingRequestsand

EncryptedProfiles

PrivacyServiceProvider(PSP)

Secret Key UserReceivesGroupInformation

Advertiser

• UserRegistersorUpdatestheEncryptedProfile

• UserReceivesAdvertisements

PSPandServerFindtheMatchingResults

Fig. 1: PPAD system overview

encrypt their data using two different public keys PK1 andPK2. The decryption power i.e. the corresponding secret keysSK1 and SK2 are given only to PSP, but PSP never receivesthese individual profiles.

For each group, if at least threshold-many group members’profiles entail the same attributes listed in the advertisingrequest, the group is marked as a target group. The adver-tisement is then presented to all members of the target groups(since advertising to a subset would require violating privacy).Afterwards, the social network provider charges the advertiserbased on the number of target groups (hence users) foundfor its advertising requests. The group size and threshold areparameters that affect both advertisement accuracy and userprivacy. We analyze this trade-off in Section V.Security Goals: In PPAD, our security goal is to protect thelink-ability of a successful match to a specific member. Thatis, when a group is marked as a target group, the server shouldnot be able to say which members of that group exhibit theattributes in the advertising request.

However, it is important to realize that there is alwaysan implicit and inherent privacy leakage in any advertisingsystem, regardless of how secure it is designed. This leakageis that as soon as the server obtains the matching result,it understands the inclusion or exclusion of some specificattributes among the group members, although the matchingis performed entirely on the encrypted profiles. In group-based advertising, the inclusion or exclusion of attributes inthe group is unlinkable to a particular group member, while inthe personalized counterpart, the matching result immediatelybreaks user privacy.Security Assumptions: What we presume in PPAD is thatthe main adversary of user privacy is the social networkprovider, i.e., Server, (or an attacker controlling it) who maybe curious to link the matching results of each group to theindividual members. In this regard, the server may employpolynomially-many advertisers and take control of some ofthe users in each group. If the Server manages to controlall but one member of some group, the same argumentsagainst the impossibility of providing privacy in a personalizedadvertisement system apply. Therefore, we necessarily assumethat at least two users per group are honest.

Moreover, the Server is assumed not to be able to colludewith the privacy service provider, i.e., PSP. We believe thatsuch a non-profit or governmental organization would notcooperate with the social network provider against user privacydue to the fame and reputation concerns. Hence, privacy

service providers are assumed to be non-colluding parties andare used in similar privacy-concerned applications [34]. InSection VI-B, we formally prove that neither PSP nor theServer would be able to violate user privacy.

Since we employ PSP as an external entity, it is importantthat it can be implemented with low cost, requiring minimalchange in the OSN system. In PPAD, users contact PSPonly during registration to receive some anonymous, non-personalized group parameters. Advertisers never need tocontact PSP. Moreover, when PSP helps Server during thematching process, it performs two decryptions and some arith-metic operations per matching (6 milliseconds per matching).Section V-B presents more details on performance.Preventing Compound Group Matching Although groupmatching preserves user privacy, the social network providermay learn the identity of the target users by arbitrarily com-bining profiles of users from different groups and analyzingthe changes in the matching results. To avoid this misbehavior,users of each group are given zero-sum secret shares by PSP.They embed their secret shares in their encrypted profiles.Decryption of individual profiles with different embeddedsecret shares results in garbage values. Thus, any attemptby Server toward grouping arbitrarily chosen users’ profilesfails. The only way to cancel out the secret sharing is toaggregate the profiles of users of the same group, as thenthe secret shares’ summation would be zero. Thus, Serverhas to aggregate profiles of each group separately and sendsthe aggregated data to PSP. Finally, PSP decrypts and de-aggregates the data to find the number of matching usersin the group. We enable aggregation and de-aggregation ofprofiles using super increasing sets (more details are presentedin sections III and IV-A4).Profile Update Insecurity Performing profile update insecure group-based advertising systems comes with a seriousprivacy issue, whose solution hugely degrades system effi-ciency. Essentially, when a member of group modifies herprofile (by adding or removing some attributes), Server cananalyze the changes in the matching results of that group(against advertising requests) before and after user’s profileupdate and realize which attributes the user has modified inher profile. Also, the group-mates are vulnerable to the samesecurity risk. Due to this security problem, if a user wants tomodify her profile, she has to join a new group (similarly hergroup-mates), and the old group is now disfunctional. This isregardless of the underlying (cryptographic) tools employed.

Prior studies with the profile update functionality are notapplicable to the context of advertising in social networks sincethey assume that the user does not share its profile with theserver [33] or they employ an IP Proxy server [12] so that usersanonymously add new preferences to their profiles. The formercontradicts with the advertising transparency and degrades theperformance. The latter is not applicable to OSNs since usersaccess the social network via a particular account and hencethe server observes that the update operation is done under aparticular account.

III. PRELIMINARIES

Bloom Filters: Bloom filters [7] are used to represent sets, andefficiently check whether an element belongs to a set. A Bloomfilter is constructed with an array of p bits, initially zero, and dhash functions, H1(.),...,Hd(.). p is called the size of the Bloomfilter. To insert an element x1 into the Bloom filter, all the hashfunctions are applied on x1 (i.e. i1 = H1(x1),..., id = Hd(x1))and the array cells at indices corresponding to the hash outputsare set to 1. Testing the membership of an element is done byapplying all the hash functions on it (similar to the insertion),and checking that whether all the corresponding indices areequal to 1. If one of them is not equal to 1, then that elementdoes not belong to the set. Otherwise, with the false positive

probability of 1− (1− ((1− 1p )

d)

e)

dthe element belongs to

the set, where e is the number of elements inserted into theBloom filter. In the rest of the paper, BFCreate(inSet) createsa Bloom filter with inSet being the set of input elements.Super Increasing Set: A super increasing set [8] of lengthg is a series of g positive real numbers, {s1,s2, ...,sg}, whereeach element is greater than the sum of its preceding elementsi.e., (∀ j ∈ {2, ...,g} : s j > ∑

j−1i=1 si).

Additive Homomorphic encryption scheme: A public keyencryption scheme (KeyGen,Enc,Dec) is called additive ho-momorphic [18] if for all m0,m1 from the message spaceC0�C1 = Enc(m0)�Enc(m1) = Enc(m0 +m1) where � isan operation defined over ciphertexts. Example is Paillierencryption [27] where� corresponds to the multiplication overciphertexts.Negligible Function: A function f is called negligible if ∀positive polynomials p(.) ∃I s.t. ∀i > I (where i is a realnumber): f (i)< 1

p(i) .Chosen plaintext attack (CPA) security: Consider the fol-lowing experiment, HEncCPA

π,A (λ ), for the public-key encryp-tion scheme π = (KeyGen,Enc,Dec):

1) Run the KeyGen(1λ ) and obtain public key PK andprivate key SK. λ is the security parameter.

2) Adversary A, who is given PK, outputs two messages m0and m1 of equal length from the message space.

3) Pick a random bit b and return to the adversary theencryption of mb i.e. EncPK(mb).

4) A outputs a bit b′. If b == b

′the output of experiment is

1 indicating that A wins, otherwise A loses.Definition 3.1: A public-key encryption scheme is CPA

secure if ∀ probabilistic polynomial time adversary A, ∃ anegligible function negl(λ ) s.t. Pr[HEncCPA

π,A (λ ) = 1] ≤ 12 +

negl(λ )Secret Sharing Secret sharing [4] is a method to disseminatea secret among a set of parties. Consider zero as the secret,one way to create k shares of zero is to generate k−1 sharesrandomly (SSi, i ∈ {1, ...,k−1}) and then set the last share toSSk = 0−∑

k−1i=1 SSi mod q where q indicates the modulus. The

length of the secret shares must be long enough to hide thedata content (longer than the maximum data size). We defineSSGen(k,q) as a function which generates k zero-sum secretshares out of the given message space (i.e., modulus) q.

IV. PPADA. Full Construction

This section presents our full construction, explaining whichparty runs which algorithm at which stage. Throughout theexplanations, x← X demonstrates picking an element x uni-formly at random from set X , and || represents concatenation.

The OSN initialization is launched by PSP to generatesystem parameters. Users register their encrypted profiles inUser Registration. A profile is a modified variant of aBloom filter whose elements are separately encrypted under anadditive homomorphic encryption scheme. Advertisers engagein Advertiser Registration protocol to submit an advertisingrequest as a Bloom filter. The Server cooperates with PSP inthe Advertisement protocol to find the target groups for eachadvertising request. In short, for every group and advertisingrequest pair, the Server aggregates encrypted profiles of usersin that group and sends the aggregate as well as the adver-tising request to PSP. Consequently, PSP checks if the groupmatches to the request and responds to Server accordingly.1) OSN initialization (OSNInit)Server: The Server initializes a database as DB.PSP: PSP determines the security parameter 1λ and the thresh-old value. It establishes an additive homomorphic encryptionπ=(KeyGen,Enc,Dec) scheme with message space MSpace,and generates (PK1, SK1) and (PK2, SK2) as two pairs of publicand private keys. We need two sets of key pairs for the securityproof to work. The reason will be apparent in Section VI-B.2) User Registration (UReg)

UReg protocol is shown by Figure 2.PSP: User connects to PSP via a secure and server authenti-cated channel to receive its group related information. Initially,PSP determines the group identifier GID of the user. GIDscan be assigned according to the users’ arrival i.e., the first kusers are assigned to the first group and the second k usersto the second group, etc. Note that a group needs to be fullto be advertised to, since the secret shares will not sum up tozero otherwise. PSP generates a fresh set of k secret sharesas GSS = {SS1, ...,SSk} per group and assigns shares to theusers.

Also, PSP assigns a delimiter, D, to each user such that Dis unique among group-mates. Each user embeds its delimiterin the profile. The structure of delimiters is given in Equation1. Delimiters exhibit the property of a superincreasing set andhelp in aggregation and de-aggregation of members’ profilesduring the advertisement protocol. PSP generates a set of kdelimiters denoted by DSet once and uses them for everygroup.

∀ j ∈ {1, ...,k},D j >j−1

∑i=1

Di ∗ p (1)

User: To make a profile, users may enter their preferences intoa well-structured form like a Facebook profile. However, thepresentation of profile form to the users is an orthogonal issueto the PPAD. Ultimately, all the collected attributes (denotedby AttSet) are transformed to a modified version of a Bloomfilter at the user side. In Algorithm 1, first a Bloom filter,P f , is generated out of AttSet. Then, each bit i of Bloom

Algorithm 1 PCreate(AttSet, D, SS, PK)

1: P f = BFCreate(AttSet)2: EP f = {EncPK(P fi ∗D+SS)}1≤i≤p3: return EP f

filter i.e., P fi is updated to P fi ∗D+SS. In words, we replacethe 0-bit values of Bloom filter with user’s secret share andthe set bit values with the summation of the user’s secretshare and delimiter. This modification helps in two regards,first, to enable aggregation and de-aggregation by the help ofdelimiters, and second, to prevent compound group matchingusing secret shares (see the advertisement protocol). Finally,each modified element of Bloom filter is encrypted under thepublic encryption key PK given as input to the Algorithm 1.

The user selects its username UName, and generates twoencrypted profiles EP f and ˆEP f by running Algorithm 1under two public keys PK1 and PK2, respectively. Then ituploads its encrypted profiles EP f , ˆEP f alongside UNameand GID to Server.

Server: Server receives the encrypted profiles and insertsthem into the database DB.

Fig. 2: User Registration protocol (UReg)

Fig. 3: Advertiser registration protocol (AdReg)

Fig. 4: Advertisement protocol (Ad)

3) Advertiser Registration (AdReg)AdReg is shown in Figure 3. During AdReg, the advertiser

registers its advertisement request under its name i.e. PNameinto the OSN. Advertiser specifies a set of attributes denotedby TAud for its target audience. The advertiser creates arequest as a Bloom filter out of TAud. Then, it submitsthe Bloom filter, its name and the product to be advertisedto Server. Advertising request preserves the AND operationbetween the targeted attributes. For example, a single requestmay target users with both attributes X AND Y. However, anadvertising request which targets X OR Y must be split andsubmitted as two separate requests: one for X and the other

for Y. Server registers the request, assigns a unique requestidentifier RID, and sends RID to the advertiser.4) Advertisement (Ad)

Figure 4 represents the Ad protocol. During the Adprotocol, Server first retrieves an advertising request i.e.,(RID,PName,Product,Req) from DB. Next, to find the match-ing between the request and each group of users, Server andPSP interact as follows (both users and advertisers areoffline during this procedure, which is one of our maincontributions):Server Aggregate: Server checks whether the advertisingrequest is already matched against the group or not. If it is notmatched, then Server retrieves profiles of group members andproceeds to the aggregation phase. As we already mentioned,the aggregation helps cancel out the secret shares embeddedin users’ profiles (as discussed in Section II, the purpose ofsecret shares is to prevent compound group matching).To aggregate profiles, we utilize the fact that a profile P f(which is a Bloom filter according to Algorithm 1) matchesthe advertising request Req if for every set bit position of Reqthe corresponding bit in P f equals to 1. More formally, P f isa target for Req if

∀1≤ i≤ p s.t. Reqi = 1 → P fi = 1 (2)Stated differently, P f matches Req if the sum of set bitvalues of Req (we denote it by |Req|) equals to the sum ofcorresponding bit values in P f . Due to this reason, we areonly interested in the elements of a profile corresponding tothe set bit positions of Req. As the first step of aggregation, wetake out and sum up the encrypted elements of each profile inaccordance with the set bit positions of Req. More formally,

A = ∏1≤i≤p|Reqi=1

EP fi = EncPK( ∑1≤i≤p|Reqi=1

P fi ∗D+SS) (3)

The second part of equality in Equation 3 holds due toutilization of an additively homomorphic encryption scheme.The Server performs this procedure for each profile of thegroup and obtains A1, ...,Ak. Finally, the Server sums up A jvalues and obtains

EAggGP f =k

∏j=1

A j = EncPK(k

∑j=1

∑1≤i≤p|Reqi=1

P f j,i ∗D j +SS j)

= EncPK(k

∑j=1

∑1≤i≤p|Reqi=1

P f j,i ∗D j +k

∑j=1

∑1≤i≤p|Reqi=1

SS j)

= EncPK(k

∑j=1

∑1≤i≤p|Reqi=1

P f j,i ∗D j + ∑1≤i≤p|Reqi=1

k

∑j=1

SS j︸ ︷︷ ︸=0

)

= EncPK(k

∑j=1

∑1≤i≤p|Reqi=1

P f j,i ∗D j)

= EncPK(k

∑j=1

D j ∗ ∑1≤i≤p|Reqi=1

P f j,i) (4)

As it can be easily verified from Equation 4, EAggGP f isthe encryption of sum of bit values of profiles (Bloom filters)multiplied by their corresponding delimiters (D j). PSP willemploy delimiters to extract individual matching results. Theaggregation procedure is summarized in Algorithm 2.

Algorithm 2 Aggregate(EP f1, ...,EP fk,Req)

1: for 1≤ j ≤ k do2: A = ∏1≤i≤p|Reqi=1 EP f j,i3: end for4: EAggGP f = ∏

kj=1 A j

5: return EAggGP f

PSP: PSP decrypts the aggregated data (PSP possesses twosecret keys SK1 and SK2. It may use one or both of the keysto obtain the plaintext data. Since Server is assumed to behonest but curious, the encryption under PK1 is consistent withthe encryption under PK2). Then, PSP counts the number ofprofiles matched to the request by proceeding as follows. Wedenote the decryption of EAggGP f by AggGP f , that is

AggGP f =k

∑j=1

D j ∗ ∑1≤i≤p|Reqi=1

P f j,i (5)

Let us reformulate AggGP f by extracting the first term of theouter summation as

AggGP f = Dk ∗ ∑1≤i≤p|Reqi=1

P fk,i +k−1

∑j=1

D j ∗ ∑1≤i≤p|Reqi=1

P f j,i

(6)Using Equation1, we know that

Dk >k−1

∑j=1

D j ∗ p >k−1

∑j=1

D j ∗ ∑1≤i≤p|Reqi=1

P f j,i (7)

Therefore, if we divide AggGP f by Dk we obtain the quotientand the remainder as indicated in Equation 8:

AggGP f = Dk ∗ ∑1≤i≤p|Reqi=1

P fk,i︸ ︷︷ ︸Quotient

+k−1

∑j=1

D j ∗ ∑1≤i≤p|Reqi=1

P f j,i︸ ︷︷ ︸Remainder

(8)The Quotient is the summation of bit values of P fk inaccordance with the set bit positions of Req. Thus, if theQuotient equals to |Req|, then P fk is a match. PSP continuesthe iteratively on the Remainder, using Dk−1 for the nextdivision. At any step that the number of target users exceedsthe threshold, PSP sends Yes to the Server and stops. If it wasnot the case, PSP responds No. The process of matching ispresented in Algorithm 3. Note that, the delimiters enabled usto extract the matching result of individual members from theaggregate, but PSP does not have any information regardingthe individual profiles and usernames.Algorithm 3 Match(AggGP f , |Req|)

1: count = 02: for D j ∈ DSet, j ∈ {k, ...,1} do3: if AggGP f

D j== |Req| then

4: count = count +15: if count == T hreshold then return Yes6: end if7: end if8: AggGPf= AggGPf mod D j9: end for

10: return No

Server Show: Based on the PSP’s response, Server eitheradvertises the Product for all the members of the group, or

Overhead\Entity User Advertiser Server PSPUser registration O(p) - - -

Advertiser registration - O(1) - -Advertisement - - O(k.|Req|) O(1)

(a) Running Time (per matching)

Overhead\Entity User Advertiser Server PSPUser registration O(p) - O(p) -

Advertiser registration - O(p) O(p)Advertisement - - O(1) O(1)

(b) Communication Complexity (per matching)

TABLE I (a) Running time based on the homomorphic operations.(b) Communication complexities (number of message transmis-sions). k: number of users per group. p: size of Bloom filter. |Req|:number of set bits in each advertising request, which is O(e.d)where e is the number of attributes in each request and d is thenumber of hash functions used in the Bloom filter construction.

skips that group. The total number of target groups is countedand stored for monetizing purposes.

For each advertisement request, the protocol above is re-peated for each group that is not yet matched with the request.Since we prevent group compounding, matchings can beperformed in parallel. This means, while the computationalcomplexity scales, communication rounds do not need toincrease with the number of yet unmatched groups.

V. PERFORMANCEA. Asymptotic Performance

Table Ia shows the computational overhead of each entityin PPAD based on the number of homomorphic operations. ncorresponds to the total number of users in the OSN, and mcorresponds to the total number of advertising requests.Users The user carries O(p) computational overhead, onlyonce, to element-wise encrypt its Bloom filter under PSP’spublic keys where p is Bloom filter’s size.Advertisers The advertiser does not perform any crypto-graphic operation.Server The running time complexity of Server to aggregateusers’ profiles within their corresponding groups is O(k.|Req|)where |Req| is the number of set bits in the Bloom filter ofthe advertising request. Server carries this overhead per groupand advertising request pair. In total, there are n

k groups and madvertising requests, hence the total overhead of Server yieldsto O(m. n

k .k.|Req|) = O(m.n.|Req|).PSP: For a single matching, PSP has the running time com-plexity of O(1) (to decrypt the group aggregated profiles). PSPperforms the matching procedure per group and advertisingrequest pair, which in total leads to the complexity of O(m. n

k )for its lifetime.

Table Ib demonstrates the communication complexity ofeach entity during the execution of each protocol. Users andadvertisers need to share their Bloom filters with Server.Thus, O(p) message transmission is required. Server and PSPcommunicate O(1) messages to check the matching between asingle group and an advertising request. For n users ( n

k groups)the total communication overhead of Server and PSP is O( n

k ).B. Concrete Performance

The running times are computed by executing PPAD over1000 randomly generated profiles of 400 attributes (basedon our personal experience of Facebook advertising, 400

attributes is approximately the maximum number) under thegroup size of 5. The advertising request is presumed to have 30attributes (for randomly generated profiles, almost no match isfound for an advertisement with more than 30 attributes). Theresults are taken on an Intel i5 2.60 GHz CPU, using 2048 bitkeys for Paillier encryption scheme. Under this configuration,Server matches a single advertising request to a single groupin 50 ms whereas running time of PSP is 6 ms, which isalmost an order of magnitude better than that of Server. Profilecreation time is 750 ms (done once per user) and creating anadvertising request takes 0.5 ms.C. Advertisement Accuracy Metrics

In order to analyze the effect of different group sizes andthreshold values on the advertising performance, we definetwo performance metrics, namely Target accuracy and Non-Target accuracy.

Target accuracy indicates the fraction of target users whoare served by the advertisement, as formulated in Equation 9

Target accuracy =Number of target users served by theadvertisementTotal number of target users

(9)This metric is in compliance with the advertiser desire whowants to reach as many target users as possible. Due to thenature of group-based advertising, the Target accuracy is notalways 100% since the target users in groups with fewer thanthreshold-many target users are not shown the advertisement.

Non-Target accuracy as shown in Equation 10 is thefraction of non-target users that are not served an (irrelevant)advertisement.

Non-Target accuracy=

Number of non-target users notserved by the advertisementTotal number of non-target users

(10)The higher value of this metric indicates that users are lesslikely to be shown irrelevant advertisement (hence more ac-curate is the advertising and less disturbing).

Note that the Target accuracy and Non-Target accuracy aremeaningful only in the group-based advertising paradigm andnot in personalized counterparts (where both measures areperfectly satisfied with the cost of privacy loss).

We additionally define the notion of target coverage, whichis the fraction of target users, as follows:

Target Coverage =Number of target usersTotal number of users

(11)The coverage value depends on the attribute distribution inprofiles as well as the content of the advertisement. In ourexperiments, we target various levels of coverage and analyzethe effect of our system parameters.D. Advertisement Accuracy Results

We explore the effect of group size and threshold valueon the Target accuracy and Non-Target accuracy. The resultsare taken over 100,000 profiles with three different targetcoverage values (10%, 50% and 90%) as demonstrated inFigure 5. The results present that under a specific groupsize, increasing the threshold value improves the Non-Targetaccuracy. This behavior is expected since having a higher

threshold guarantees that more target customers are in thetarget groups (compared to the lower thresholds). Hence insuch settings, the higher percentage of target group membersare real target customers i.e., the Non-Target accuracy ishigher. On the contrary, the Target accuracy has the inverserelation with the threshold value. Indeed, higher thresholdimposes more constraint on the group for being selected asa target. Consequently, the advertiser loses some of his targetcustomers in the groups which do not have enough target users.

On the other hand, with a fixed threshold, as the group sizeincreases, Target accuracy increases but Non-Target accuracydecreases. This happens for all target coverages, since in alarger group with the same threshold, it is easier to findmatching groups, but it also means that potentially more non-target users are shown an irrelevant advertisement.

By inspecting the behavior of Target accuracy and Non-Target accuracy, we find out that a perfect balance betweenthese two metrics is met when the ratio of the threshold tothe group size i.e., T hr

Group Size is close to the target coverage. Werefer to this threshold value as "balanced threshold". Forinstance, under the target coverage 50% and group size 19, thebalanced threshold is 10 with 10

19 = 0.52≈ 0.5. At this balancethreshold, Target accuracy and Non-Target accuracy are 58%and 60%, respectively. We refer to the accuracy achieved atthe balance threshold by balanced accuracy. In Figure 5, thex coordinate of the point where two curves of the same color(i.e., same group size) collide indicates the balanced thresholdand the accuracy at that point (y coordinate) is the balancedaccuracy. After the balanced threshold, the Target accuracydrops while the Non-Target accuracy increases. The inverseoccurs for values less than the balanced threshold.

The simulation results demonstrate that as the group sizeincreases, the balanced accuracy degrades. For example, underthe target coverage of 50%, the balanced accuracy of groupsize 7 (at balanced threshold 4) is 65% whereas in group size19 (at balanced threshold 10) it drops to 58%. The correctnessof this fact can be verified by coverage 10 and 90 as well. Thisimplies that smaller group sizes are better for accuracy at theirrespective balanced thresholds.

In general, threshold being equal to group size k wouldmean that all users in a matched group have the same attributesin the advertisement in common. Similarly, threshold of 1where the advertisement is not matched would reveal thatno user in that group contains all the attributes in the ad-vertisement. Such leakages are independent of the underlyingmethodology, and hence are not analyzed, but should beconsidered when selecting the parameters.

VI. SECURITYA. Security Definition

PPAD preserves user privacy if no adversary can link asuccessful group-matching result to a particular group member.In another word, the advertising result should not help an ad-versary to identify which user possesses (or does not possess)which attributes. The adversary controls either Server or PSP(since they are non-colluding), together with some users andadvertisers. The adversary is challenged to break the user’s

Fig. 5: Target accuracy and Non-Target accuracyvs threshold for group sizes 2-20. Dashed curvesrepresent Non-Target accuracy and solid ones the

Target accuracy. X axis: threshold. Y axis: accuracy

privacy in a single group. This challenge is modeled as a gameplayed between a challenger and the adversary A. Since thegroups are independent of each other and the protocol is thesame for every group, the failure of the adversary in this gameimplies that PPAD preserves privacy of all the users.

In this game, the adversary is allowed to control k− tusers where k is the group size and t is the number ofhonest users in that group. Adversary registers k− t usersof the group into the system and receives all of their secretinformation. Assume UName1, ..., UNamet are the usernamesof the honest users. Adversary is asked to select t sets ofattributes, AttSet1,...,AttSett . The challenger randomly and pri-vately assigns the attribute sets to the usernames and registersthem into the OSN. Then, the adversary is allowed to registerpolynomially-many advertising requests and obtain the resultsof matching between the requests and the group. Finally, theadversary is challenged to guess which attribute set is assignedto which username. To win the game and break security, theadversary needs to perform noticeably better than the randomguessing probability of 1

t .Observe that as t gets smaller, the adversary has more

control over the group, and hence has more power. But, fort = 1, the adversary wins the game with the probability of 1;therefore t = 2 is the minimum feasible value.

UPrivacyA(λ ): In this game, the challenger acts as thehonest users and honest advertisers. One of the Server orPSP is run by the challenger while the other one is controlledby the adversary A. Adversary A is honest but curious, andmay control polynomially-many advertisers and k-2 users pergroup. The game is played within one group.

1) A runs OSNInit with the challenger.2) Query phase 1:

a) A runs UReg protocol, acting as a user, with thechallenger.

b) A specifies user’s inputs UName,AttSet and asks thechallenger to run UReg protocol over the given inputs.Challenger acts as user.

Part (a) allows the adversary register users fully under hercontrol. Part (b) allows the adversary to register honestusers whose usernames and profiles are known to theadversary.

3) Challenge phase:a) A sends two usernames i.e. Uname0 and UName1 and

two different sets of attributes, AttSet0 and AttSet1.UName0 and UName1 are never registered in anyquery phase.

b) Challenger picks a bit randomly, b←{0,1}, and ex-ecutes the UReg protocol for (Uname0, AttSetb) and(UName1, AttSet b) on behalf of users. b is the com-plement of b.

4) A repeats the query phase 1 until all the k users of thegroup are registered into the OSN.

5) Query phase 2:a) A creates and registers an advertising request by exe-

cuting AdReg protocol acting as the advertiser.b) A selects the inputs of the advertiser for AdReg protocol

and asks the challenger to execute AdReg protocol asan advertiser.

Similar to query phase 1, part (a) allows the adversaryregister advertisement requests fully under her control.Part (b) allows the adversary to register honest advertisingrequests of which are known to the adversary.

6) Query phase 3: A executes the Ad protocol with thechallenger for an advertising request registered as RID.

7) A may adaptively repeat the query phase 2 and 3 poly-nomially many times.

8) A guesses a bit b′. If b = b

′the output of game is 1 (A

wins), otherwise 0 (A loses).Definition 6.1: An OSN with the (OSNInit, UReg, AdReg,

Ad) protocols preserves the user’s privacy, if for every prob-abilistic polynomial time (PPT) adversary A, there exists anegligible function negl(λ ), where λ is the security parameter,such that: Pr[UPrivacyA(λ ) = 1]≤ 1

2 +negl(λ )B. User Privacy Against Server

The security of our design against Server relies on the CPA-security of the underlying encryption scheme. We show thatif a PPT adversary A can win the UPrivacy game with non-

negligible advantage, then we can construct a PPT adversary Bwho runs A as a subroutine and breaks the CPA-security of theencryption scheme. At a high level, since group matching doesnot reveal the identity of the targeted users, but only providesa Yes/No type answer, Server cannot map users’ profilesand usernames using the result of advertising. Therefore, theinformation of Server is restricted to the encrypted data. Thus,the success of adversary A in UPrivacy game implies that Bcan distinguish between the encrypted profiles of users. Thismeans that encryption scheme is not CPA-secure which is acontradiction to the initial assumption. So, using a CPA-secureencryption scheme, our design is secure against Server. Theformal proof follows.

1) Formal Proof

In PPAD, two key pairs for PSP are considered i.e.,(PK1,SK1) and (PK2,SK2). Each data is encrypted underboth keys. Adversary B aims at breaking the CPA-security ofthe encryption scheme associated with the first key pair i.e.,(PK1,SK1).

Theorem 6.1: If the homomorphic encryption scheme π isCPA secure, then PPAD preserves user privacy.

Proof. If there exists a PPT adversary A who can win theUPrivacyA(λ ) with probability 1

2 + ε(λ ) where ε(λ ) is non-negligible, then we can construct a PPT adversary B who canwin the HEnCPA

π,B (λ ) with 12 +ε(λ ) probability. Assume a PPT

adversary A and define: Pr[UPrivacyA(λ ) = 1] = 12 + ε(λ ).

Now consider the PPT adversary B who attempts to breakHEncCPA

π,B (λ ).Adversary B:B is given the security parameter λ and the public key PK1by the CPA challenger.

1) B executes OSNInit protocol with A. B creates PK2,SK2,delimiter set DSet and a set of k secret shares i.e. GSS =SSGen(k,MSpace).

2) Query phase 1 is executed.3) Challenge phase: A sends two usernames UName1 and

UName2 and two sets of attributes AttSet1 and AttSet2. Bpicks randomly two unique delimiters from DSet denotedby D1 and D2 and two unique secret shares SS1 andSS2. B creates two bloom filters out of Att1 and Att2denoted by P f1 and P f2, respectively. B replaces eachbit value bi in P f1 (and P f2), by bi ∗D1 + SS1 (andbi ∗D2 + SS2). The modified bloom filters are denotedby ˆP f1 and ˆP f2, respectively. B sends m0 = ˆP f0|| ˆP f1 andm1 = ˆP f1|| ˆP f0 to the CPA challenger and receives a vec-tor of ciphertexts shown by C = {C1, ...,Cp,Cp+1, ...,C2p}.Set EP f1 = {C1, ...,Cp} and EP f2 = {Cp+1, ...,C2p}. Bcreates two other profiles encrypted under PK2 denotedby ˆEP f1 = PCreate(AttSet1,D1,SS1,PK2) and ˆEP f2 =PCreate(AttSet2,D2,SS2,PK2). B registers EP f1, ˆEP f1and EP f2, ˆEP f2 for UName1 and UName2, respectively.Although, EP f1 and ˆEP f1 (likewise EP f2 and ˆEP f2)may not contain the same attributes, this would not berevealed to A due to the CPA-security of encryptionscheme associated with PK2.

4) A repeats query phase 1 to register all the k users of thegroup.

5) Query phase 2 is executed. The set of all the registeredrequests is denoted by RQ.

6) Query phase 3: A runs the Ad protocol for a request Reqout of RQ. A as Server outputs the aggregation of group’sprofiles i.e., EAggGP f , ˆEAggGP f , and the number of setbits in the advertising request i.e., |Req|. EAggGP f isencrypted under PK1 whereas ˆEAggGP f is encryptedunder PK2.Here is the reason why PPAD utilizes two key pairs. Bothencryptions under PK1 and PK2 contain the same datasince the adversary A is honest but curious (i.e. it followsthe protocol description honestly). Moreover, the orderof attributes’ assignments to the users (either AttSet1 andAttSet2 are assigned to UName1 and UName2 respec-tively, or vice versa) does not affect the aggregated resultand consequently the group matching result. Despite thelack of SK1 at the side of adversary B, having SK2 enablesA to perform the advertising procedure correctly. Thus, Bobtains the plain format of aggregated group’s profiles bydecrypting via SK2. B performs Algorithm 3 and obtainsthe matching result. It sends the Yes or No response toA.

7) Query phases 2 and 3 may be adaptively repeated poly-nomially many times.

8) A outputs a bit b′. B outputs whatever A outputs.

Since B outputs whatever A outputs, B has the same advantageof A to break the CPA security of the encryption scheme. If A’sadvantage ε(λ ) is non-negligible, then B also breaks the CPA-security of the encryption scheme with this non-negligibleadvantage.C. User Privacy Against PSP

PPAD provides information-theoretic privacy for usersagainst PSP. PSP never receives the usernames during theexecution of any protocol. This implies the inability of PSPto obtain a mapping between the data contents, i.e., attributes,and the identity of the data owners.

VII. RELATED WORKSA. Secure Online Behavioral Advertising (SOBA)

In SOBA models, a broker is connected to a set ofpublishers who are web page owners. The broker createsa behavioral profile per user according to the user’s visitson those pages. Broker monetizes by putting the advertiser’sproducts on the publishers’ web pages according to the users’behavioral profiles. We classify SOBA models as publisher-subscriber and push-based designs as shown in Table II.a (alsoconsidering PPAD applied to such a setting). In publisher-subscriber designs [33], [14], [12], users subscribe to theadvertisers’ products. In push-based designs [5], [1] a serverreceives both the users’ profiles and advertising requests, andadvertises each product for a set of target users. Some SOBAstudies require users or advertisers to be online during theadvertising procedure [33], [14], [5], while others allow themto remain offline [1]. Some studies [14], [5] enforce directcommunication between users and advertisers. Outsourced

profiling [5] does not consider user privacy. ObliviAd [1] relieson a trusted hardware (CPU) to protect user privacy.B. Server Assisted Private Set Intersection (PSI)

In the PSI problem, two parties who have two different setsof elements execute a protocol to find the intersection of theirsets. In the server assisted variant of PSI, a server helps theparties to find the intersection of the sets, improving efficiency.Table II.b summarizes the comparison between PPAD andpapers of the server-assisted PSI concept. In the server-assistedPSI studies, the role of the server is to reduce the workloadof parties by carrying the main portion of the computations.However, at least one party still needs to be involved perprotocol execution as in [16], [28], [21] and the obliviousservice provider method of [20]. Parties also need to havedirect communication for sharing some secret information be-fore the execution of the intersection (advertisement) protocol.The public output method of [20] and [35] support offline usersand advertisers, but they fail to protect the privacy of users. Infact, their solution is vulnerable to the plaintext guess attackwhere the server guesses some elements and checks whetherthey belong to the user’s and advertiser’s sets or not.C. Server Assisted Two-Party Computation (2PC)

In server assisted 2PC protocols, two parties, with the helpof a third party, compute a function over their respective inputswhile no party learns the other party’s input. Server-assisted2PC solutions either employ a server to guarantee the fairnessof the protocol execution [13], [22], [24] or to ease the otherparties’ duties by delivering the main computation overhead tothe server. However, users and advertisers are required to beonline and provide some information per function evaluation(advertisement in this case) [17], [19], [13], [25], [15], [9],[6]. [29] proposed a solution which mitigates the necessity ofonline users and advertisers by applying two servers, similarto our approach. But, the number of messages transferred be-tween two servers depends on the function definition (numberof multiplication operations), whereas PPAD supports constantcommunication compexity between two servers.

VIII. CONCLUSION AND FUTURE WORKIn this paper, we proposed the first privacy preserving

advertising system PPAD for secure OSNs with transparencyand group advertising. PPAD protects users’ privacy by em-ploying an external non-colluding privacy service provider. Weproposed a security definition and formally proved the securityof our design under the honest-but-curious adversarial modelwhere the adversary is additionally allowed to control some(fake) advertisers and users. As future work, our aim is toextend PPAD to be secure against fully malicious adversaries,and to efficiently support any Boolean function of the attributesin a single advertising request. We also plan to improve oursolution to reduce the computational cost associated withprofile updates. We believe PPAD constitutes an important firststep regarding monetization for secure OSNs.

ACKNOWLEDGEMENTSWe acknowledge the support of the Turkish Academy of

Sciences, Royal Society of UK Newton Advanced FellowshipNA140464, and EU COST Action IC1306.

Type Method Offline User Offline Advertiser EDC User Privacy No IP Proxy No Trusted-Hardware Sec-Def

PSAdnostic [33] 7 3 3 3 3 3 7

Targeted advertising [14] 7 7 7 3 3 3 3

Privad [12] 3 3 3 3 7 3 7

PBOutsourced profiling [5] 7 7 7 7 3 3 7

ObliviAd [1] 3 3 3 3 3 7 3

PPAD 3 3 3 3 3 3 3

(a)

Method Offline User Offline Advertiser EDC PGA

Privacy aware Genome Mining [28], Scaling PSI to billion elements [16] 7 7 7 3

VDSI [35],Collision Resistant outsourcing PSI [20] public output 3 3 3 7

Collision Resistant outsourcing PSI [20] Oblivious Service Provider 7 7 3 3

Outsourced PSI using homomorphic encryption [21] 3 7 3 3

PPAD 3 3 3 3

(b)

TABLE II (a) SOBAs vs. PPAD. (b) Server Assisted PSIs vs. PPAD. PS: publisher-subscriber, PB: push-based. EDC: Elimination ofdirect communication between users and advertisers. Sec-Def: Existence of formal security definition and proof. PGA: Security againstplaintext guess attack.

REFERENCES[1] M. Backes, A. Kate, M. Maffei, and K. Pecina. Obliviad: Provably

secure and practical online behavioral advertising. In Security andPrivacy (SP). IEEE, 2012.

[2] R. Baden, A. Bender, N. Spring, B. Bhattacharjee, and D. Starin.Persona: an online social network with user-defined privacy. In ACMSIGCOMM, 2009.

[3] A. Barenghi, M. Beretta, A. Di Federico, and G. Pelosi. Snake: Anend-to-end encrypted online social network. In ICESS. IEEE, 2014.

[4] A. Beimel. Secret-sharing schemes: a survey. Springer, 2011.[5] D. Biswas, S. Haller, and F. Kerschbaum. Privacy-preserving outsourced

profiling. In CEC. IEEE, 2010.[6] M. Blanton and F. Bayatbabolghani. Efficient server-aided secure two-

party function evaluation with applications to genomic computation.PET, 2016.

[7] B. H. Bloom. Space/time trade-offs in hash coding with allowable errors.1970.

[8] A. A. Bruen, M. A. Forcinito, A. G. Konheim, C. Cobb, A. Young,M. Yung, and D. Hook. Applied cryptography: protocols, algorithms,and source code in c. 1996.

[9] H. Carter, B. Mood, P. Traynor, and K. Butler. Outsourcing secure two-party computation as a black box. In Cryptology and Network Security.2015.

[10] E. De Cristofaro, C. Soriente, G. Tsudik, and A. Williams. Humming-bird: Privacy at the time of twitter. In Security and Privacy (SP). IEEE,2012.

[11] A. J. Feldman, A. Blankstein, M. J. Freedman, and E. W. Felten. Socialnetworking with frientegrity: Privacy and integrity with an untrustedprovider. In USENIX, 2012.

[12] S. Guha, B. Cheng, and P. Francis. Privad: practical privacy in onlineadvertising. In NSDI, 2011.

[13] A. Herzberg and H. Shulman. Oblivious and fair server-aided two-partycomputation. Information Security Technical Report, 2013.

[14] A. Juels. Targeted advertising... and privacy too. In CT-RSA. 2001.[15] S. Kamara, P. Mohassel, and M. Raykova. Outsourcing multi-party

computation. IACR Cryptology ePrint Archive, 2011.[16] S. Kamara, P. Mohassel, M. Raykova, and S. Sadeghian. Scaling private

set intersection to billion-element sets. In FC. 2014.[17] S. Kamara, P. Mohassel, and B. Riva. Salus: a system for server-aided

secure function evaluation. In CCS. ACM, 2012.[18] J. Katz and Y. Lindell. Introduction to Modern Cryptography. CRC

press, 2014.[19] F. Kerschbaum. Adapting privacy-preserving computation to the service

provider model. In CSE. IEEE, 2009.[20] F. Kerschbaum. Collusion-resistant outsourcing of private set intersec-

tion. In Applied Computing. ACM, 2012.[21] F. Kerschbaum. Outsourced private set intersection using homomorphic

encryption. In CCS. ACM, 2012.[22] H. Kılınç and A. Küpçü. Efficiently making secure two-party computa-

tion fair. In FC, 2016.[23] B. Krishnamurthy and C. E. Wills. Characterizing privacy in online

social networks. In WOSN. ACM, 2008.[24] A. Küpçü and P. Mohassel. Fast optimistically fair cut-and-choose 2pc.

In FC, 2016.[25] P. Mohassel, O. Orobets, and B. Riva. Efficient server-aided 2pc for

mobile phones. PET, 2015.[26] A. Narayanan and V. Shmatikov. De-anonymizing social networks. In

Security and Privacy. IEEE, 2009.[27] P. Paillier. Public-key cryptosystems based on composite degree resid-

uosity classes. In EUROCRYPT, 1999.

[28] C. Patsakis, A. Zigomitros, and A. Solanas. Privacy-aware genomemining: Server-assisted protocols for private set intersection and patternmatching. In CBMS. IEEE, 2015.

[29] A. Peter, E. Tews, and S. Katzenbeisser. Efficiently outsourcingmultiparty computation under multiple keys. IEEE T-IFS, 2013.

[30] J. Sun, X. Zhu, and Y. Fang. A privacy-preserving scheme for onlinesocial networks with efficient revocation. In INFOCOM. IEEE, 2010.

[31] S. Taheri-Boshrooyeh, A. Küpçü, and Ö. Özkasap. Security and privacyof distributed online social networks. In IEEE ICDCSW, 2015.

[32] A. Tootoonchian, S. Saroiu, Y. Ganjali, and A. Wolman. Lockr: betterprivacy for social networks. In CoNEXT. ACM, 2009.

[33] V. Toubiana, A. Narayanan, D. Boneh, H. Nissenbaum, and S. Barocas.Adnostic: Privacy preserving targeted advertising. In NDSS, 2010.

[34] T. Veugen, R. de Haan, R. Cramer, and F. Muller. A framework forsecure computations with two non-colluding servers and multiple clients,applied to recommendations. IEEE T-IFS, 2015.

[35] Q. Zheng and S. Xu. Verifiable delegated set intersection operations onoutsourced encrypted data. In IC2E. IEEE, 2015.